Description
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
Published: 2026-01-12
Score: 2.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle
Action: Update client
AI Analysis

Impact

A flaw in the Weblate command‑line client (wlc) allows the program to skip SSL verification when accessing certain crafted URLs. This means an attacker can inject a malicious URL that the client will trust, potentially exposing data to a man‑in‑the‑middle attack. The vulnerability is based on a verification bypass flaw, classified as CWE‑295, and the developer has acknowledged that the client would mistakenly skip all SSL checks for these URLs.

Affected Systems

The affected product is the Weblate command‑line client (wlc) produced by WeblateOrg. All releases prior to version 1.17.0 are vulnerable; no specific patch versions are listed beyond 1.17.0. The issue applies to any installation of wlc that processes user‑supplied URLs, regardless of the target server.

Risk and Exploitability

The CVSS score is 2.5, indicating a low severity. The EPSS score is below 1 %, reflecting a very low likelihood of exploitation, and the vulnerability is not listed as a known exploited vulnerability in CISA’s KEV catalog. The vulnerability can likely be exercised by any user able to run wlc with crafted URLs, meaning the attack vector is a local or remote user with access to the client’s command line. Because the flaw does not grant arbitrary code execution, the consequences are limited to enabling a man‑in‑the‑middle attack on the client’s outgoing connections.

Generated by OpenCVE AI on April 18, 2026 at 07:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wlc to version 1.17.0 or later, which restores SSL verification for all URLs.
  • Review and adjust any scripts or pipelines that feed crafted URLs into wlc to ensure they do not trigger the bypass.
  • After upgrading, test SSL verification by attempting to connect to a server with a self‑signed certificate; wlc should reject the connection and report verification failure.

Generated by OpenCVE AI on April 18, 2026 at 07:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2mmv-7rrp-g8xh Weblate command-line client susceptible to SSL verification skip
History

Tue, 27 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Weblate
Weblate wlc
CPEs cpe:2.3:a:weblate:wlc:*:*:*:*:*:*:*:*
Vendors & Products Weblate
Weblate wlc

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Weblateorg
Weblateorg wlc
Vendors & Products Weblateorg
Weblateorg wlc

Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 18:00:00 +0000

Type Values Removed Values Added
Description wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
Title wlc can skip SSL verification
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 2.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Weblate Wlc
Weblateorg Wlc
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:07:33.376Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22250

cve-icon Vulnrichment

Updated: 2026-01-12T18:06:39.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-12T18:15:49.307

Modified: 2026-01-27T20:37:11.263

Link: CVE-2026-22250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses